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Summary  of  Key  Technical  Developments 

The  key  new  piece  added  in  this  reporting  period  is  the  implementation  and  complete  development  of 
the  automated  framework  we  described  for  the  Proof-Carrying  Hardware  IP  (PCHIP)  methodology  in  the 
previous  report.  Although  PCHIP  is  extremely  effective  in  preventing  hardware  Trojans  to  sneak  into  the 
final  product  through  third  party  hardware  IPs,  it  comprises  the  onerous  task  of  converting  a  design  to  a 
formal  representation  and  developing  proofs  for  the  desired  security  properties  and  thus  requires  extra 
knowledge  of  formal  reasoning  methods,  proof  development  and  proof  checking.  To  make  PCHIP  more 
striking,  we  pursued  automation  in  several  aspects  of  the  PCHIP  framework.  As  the  first  step  towards 
the  automation  of  PCHIP,  we  examined  and  improved  the  conversion  rules  from  HDL  to  Coq  formal 
representation  and  developed  an  automatic  convertor  named  Vericoq  [1]  to  convert  the  exact  circuit 
functionality  and  structure  into  the  Coq  formal  representation.  Vericoq  makes  the  conversion  process  of 
the  HDL  code  to  the  Coq  formal  representation  automatic  and  straight  forward,  and  creates  the  basis  for 
our  PCHIP  automation  framework.  However,  development  of  security  properties  stated  as  theorems  in 
Coq  and  construction  of  proofs  for  such  theorems  still  remains  in  the  responsibility  of  the  IP  developer 
and  still  requires  extra  effort  and  knowledge.  In  an  effort  to  automate  the  whole  process,  we  focused  on 
the  enforcement  of  information  flow  policies  as  we  presented  earlier  in  [2,  3],  which  is  mainly  applicable 
to  capture  sensitive  information  leakage  in  cryptographic  hardware  cores  through  design  flaws  or 
malicious  capabilities.  We  developed  VeriCoq-IFT  [4]  to  automate  all  the  extra  tasks  required  in  the 
PCHIP  methodology  for  information  flow  policies.  In  addition  to  automating  the  conversion  of  the  HDL 
code  to  the  Coq  formal  representation,  VeriCoq-IFT  automatically  generates  security  property  theorems 
to  ensure  information  flow  policies,  constructs  proofs  for  such  theorems  and  checks  their  validity  for  the 
design  with  minimal  user  intervention.  We  successfully  tested  this  automated  framework  by  utilizing  it 
to  evaluate  the  trustworthiness  of  several  genuine  and  Trojan  infested  DES  and  AES  cryptographic  cores. 

VeriCoq:  Automated  Verilog  to  Coq  Converter 

In  the  previous  reporting  periods  of  this  project  we  demonstrated  our  framework  for  hardware  IP 
protection  called  proof  carrying  hardware  intellectual  property  (PCHIP)  as  depicted  in  Figure  1.  In  this 
framework,  hardware  IP  developers  are  required  to  deliver  formal  proofs  of  a  set  of  security  properties 
for  the  design  along  with  the  HDL  code.  These  security  properties  are  crafted  in  a  way  that  prevent 
malicious  activities  in  the  hardware  IP,  are  specific  to  the  design,  and  are  stated  as  formal  theorems  in 
Coq.  Coq  allows  development  and  mechanized  checking  of  the  proofs  of  these  formal  security  property 
theorems,  and  thus  enables  the  trustworthiness  assessment  of  the  design  in  terms  of  these  security 
properties.  To  be  able  to  develop  the  proofs  of  the  security  properties  for  the  design,  the  hardware  IP 
should  also  be  described  formally  in  Coq.  For  this  purpose,  PCHIP  defines  rules  to  convert  the  design 
HDL  to  its  equivalent  Coq  representation.  To  make  this  conversion  task  easier,  we  revised  and 
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augmented  the  PCHIP  conversion  rules  and  developed  Vericoq  [1],  an  automatic  Verilog  to  Coq 
converter  which  precisely  converts  the  circuit  structure  and  functionality  to  the  equivalent  Coq 
representation.  Vericoq  supports  almost  every  synthesizable  statement  in  Verilog  and  can  manage 
arrays,  parameters  and  hierarchical  module  structures.  It  converts  a  design  in  Verilog  into  Coq 
representation  with  minimal  user  involvement.  In  [5]  we  showed  how  such  rules  and  conversion  helps 
to  ensure  the  trustworthiness  of  microprocessor  IPs  through  proof  checking  of  the  appropriate  security 
properties.  As  Figure  1  shows,  VeriCoq  helps  both  IP  developers  and  IP  consumers  in  PCHIP  framework. 
IP  developers  utilize  VeriCoq  to  convert  the  HDL  code  to  the  Coq  representation  and  develop  the  proofs 
of  security  properties.  On  the  other  hand,  IP  consumers  use  VeriCoq  when  checking  the  validity  of  the 
proofs  for  the  hardware  design. 


IP  Developer  Trusted  IP  Bundle  IP  Consumer 


Figure  1.  PCHIP  framework  and  VeriCoq  application 

Automated  PCHIP  Framework  for  Information  Flow  Policies 

Developing  security  properties  to  ensure  the  hardware  IP  trustworthiness  and  constructing  proofs  for 
them  is  generally  specific  to  each  design  and  there  is  a  narrow  room  for  the  automation  of  this  task. 
Information  flow  policies  stated  as  security  property  theorems  are  a  set  of  policies  which  ensure  that  no 
secret  information  is  leaked  through  untrusted  channels  and  are  mainly  applicable  to  cryptographic 
circuits  and  designs  which  manipulate  secret  and  sensitive  data.  Earlier  in  [2,  3]  we  demonstrated 
enforcing  such  policies  to  ensure  the  trustworthiness  of  cryptographic  hardware  for  DES  and  AES  cores. 
Information  flow  policies  allow  to  develop  a  common  structure  in  which  most  of  security  property 
theorems  and  their  proofs  can  be  constructed  automatically.  Normally,  information  flow  policies  are  not 
concerned  about  the  exact  functionality  of  the  circuit  and  type  of  operations.  Instead,  they  usually 
define  policies  regarding  to  the  interaction  of  information  in  the  design.  Therefore,  we  revised  the  rules 
to  convert  Verilog  design  to  Coq  representation  specifically  to  enforce  information  flow  policies.  While 
these  rules  are  comprehensive  enough  to  support  common  statements  and  structures  used  in  circuit 
description,  they  are  narrow  enough  which  allow  the  automation  of  security  property  theorems 
generation  and  proof  construction.  For  this  purpose,  developed  Vericoq-IFT  [4]  as  depicted  in  Figure  2, 
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which  aims  to  (i)  automate  the  process  of  converting  designs  from  HDL  to  the  Coq  formal  language  to 
evaluate  information  flow  policies,  (ii)  generate  security  property  theorems  ensuring  information  flow 
policies,  (iii)  construct  proofs  for  such  theorems,  and  (iv)  check  their  validity  for  the  design,  with  minimal 
user  intervention.  To  facilitate  the  process,  Vericoq-IFT  gathers  necessary  information,  such  as  the 
sensitivity  level  of  the  signals  in  the  design  or  the  declassification  operations  through  special  comments 
(pragmas)  in  the  HDL  code.  Thus,  the  hardware  IP  developer  does  not  need  anything  more  than  simply 
inserting  appropriate  comments  in  the  HDL  code.  Vericoq-IFT  also  analyzes  the  HDL  code  and  generates 
the  appropriate  theorems  to  enforce  information  flow  policies.  We  also  developed  various  lemmas  used 
to  prove  the  information  flow  policy  theorems.  Therefore,  VeriCoq-IFT  is  able  to  generate  the  proof  of 
those  theorems  for  the  design  without  user  intervention.  As  Figure  2  shows,  all  tasks  involve  in  the 
PCHIP  for  information  flow  policies  are  automated  by  VeriCoq-IFT  framework. 


Pass/Fail 


Figure  2.  VeriCoq-IFT framework 

To  utilize  VeriCoq-IFT  to  ensure  the  trustworthiness  of  hardware  IPs  in  terms  of  the  information  flow 
policies,  IP  consumers  first  need  to  verify  the  authenticity  of  the  special  comments  (pragmas)  which  are 
inserted  by  the  IP  developers  into  the  HDL  code  to  define  the  sensitivity  levels  of  the  signals  and 
declassifying  operations  for  VeriCoq-IFT.  Then,  IP  consumers  provide  the  HDL  code  to  VeriCoq-IFT  to  get 
the  design  in  Coq  representation,  IFT  policy  theorems  and  their  proofs.  By  providing  these  essential 
pieces  to  the  Coq  IDE,  IP  consumers  can  seamlessly  verify  the  proofs  and  evaluate  the  design 
trustworthiness. 

VeriCoq-IFT  in  Action 

We  utilized  VeriCoq-IFT  to  evaluate  the  trustworthiness  of  several  genuine  and  Trojan  infested 
cryptographic  cores.  These  evaluations  show  the  effectiveness  of  VeriCoq-IFT  and  its  capabilities  in 
handling  various  designs,  with  varied  complexities.  We  consider  two  different  implementations  of  DES, 
which  is  a  relatively  simple  cryptographic  algorithm  as  shown  in  Figure  3.  It  comprises  of  16  similar 
rounds,  preceded  and  succeeded  by  permutation  steps.  The  area  efficient  DES  core  we  evaluated 
implements  only  a  single  round  of  the  encryption.  Therefore,  the  complete  encryption  requires  to  be 
done  in  16  iterations.  Although  this  design  is  genuine,  the  proof  of  the  information  flow  policy  theorems 
fails  for  this  design.  Since  the  permutation  is  deterministic,  there  exists  a  potential  information  leakage 
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path  for  this  design  in  the  first  round  which  is  marked  in  Figure  3  and  is  captured  by  the  VeriCoq-IFT 
framework.  We  also  evaluated  another  high  performance  DES  core  which  is  a  pipeline  design  in  16 
stages.  The  Proofs  for  this  high  performance  DES  core  are  verified  in  Coq,  meaning  its  compliance  with 
the  information  flow  policies. 
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Figure  3.  DES  block  diagram 

We  also  evaluated  a  genuine  and  several  Trojan  infested  128  bits  AES  cores.  AES  is  a  more  complex 
encryption  algorithm  compared  to  the  DES  and  comprises  of  10  encryption  rounds.  Evaluation  of  the 
genuine  AES  core  is  successful  and  the  proofs  are  verified  in  Coq. 


AES-T100  —i—  i  AES-T1000  — i—  !  AES-T1200 


Figure  4.  Three  Trojan  infested  AES  designs  evaluated  by  VeriCoq-IFT 

To  have  further  evaluations,  we  considered  3  Trojan  infested  AES  designs  from  trust-hub  website  [6]  as 
shown  in  Figure  4.  These  Trojans  try  to  leak  8  bits  of  the  key  through  a  covert  channel  by  a  CDMA  like 
modulation.  Although  the  leaking  mechanism  is  similar  for  these  Trojans,  they  have  different  triggers. 
AES-T100  is  always  active,  AES-T1000  is  triggered  by  a  predefined  plaintext  input,  while  AES-T1200  is 
activated  after  a  predefined  number  of  encryptions.  Proofs  of  information  flow  policies  fails  for  these 
Trojan  infested  designs  and  VeriCoq-IFT  successfully  captures  possible  information  leakage  channels. 
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Progress  vs.  Proposed  Plan  of  Activities 

Figure  5  shows  the  three-year  plan  for  this  ARO-sponsored  project.  In  the  end  of  the  third  year,  we  have 
prepared  and  developed  all  of  what  has  been  projected  through  the  end  of  the  project.  We 
implemented  Vericoq  as  an  automatic  Verilog  to  Coq  converter  to  acquire  the  exact  circuit  functionality 
and  structure  in  Coq.  It  automates  part  of  the  PCHIP  methodology  and  helps  the  developers  to  focus  on 
the  definition  of  security  properties  and  construction  of  their  proofs.  Enforcing  information  flow  policies 
for  DES  and  AES  circuits  has  been  earlier  presented  in  [2,  3]  which  we  revised  and  improved  for  Vericoq- 
IFT  development.  Vericoq-IFT  automates  the  whole  process  of  enforcing  information  flow  policies 
including  Verilog  to  Coq  conversion,  security  theorems  generation,  proof  construction  and  verification. 
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Figure  5.  Overview  of  planned  activities  in  the  ARO-sponsored  project 
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